There are eight new security stuff-ups affecting various editions of Microsoft IIS (Internet Information Server), the most serious of which will enable an attacker to take over the system, MS revealed today.

If you're wondering why you haven't heard about them before, chalk it up to Trustworthy Computing, a Redmond policy which leaves everyone exposed to attack until MS is satisfied with its patches and spills the beans. We prefer to know these things as soon as possible so we can look into temporary workarounds and shutter the window of opportunity straight away, but MS is clearly opposed to that approach. (One workaround we rather like is called Apache, but we digress....)

Before we get into the gory details, we have to mention that we've received anecdotal reports that some of the MS patches have been breaking some of the machines they're installed on. So do test them before integrating them into critical systems. If you've installed one of the patches, I'd like to hear from you whether your experience was good or bad, in hopes of confirming the problem or, alternatively, putting the rumor down.

And now for a brief roundup.

First up, a buffer overflow involving chunked encoding with the ASP (Active Server Page) ISAPI filter. This can be exploited to crash the machine or run arbitrary code on it. Essentially, an attacker can cause IIS to miscalculate the size of incoming data and so allocate undersized buffers. There's a good writeup and a sample exploit by eEye, which discovered it, posted here. Affects IIS 4.0 and 5.0.

Next, a mysterious one which Microsoft claims to have discovered and which it says "is related to the preceding one, but which lies elsewhere within the ASP data transfer mechanism." Whatever it is, it appears it can be exploited much like the chunked encoding flaw above, and affects IIS 4.0, 5.0 and 5.1.

Unless someone else coined the term before, then Mickey already has the copyright. Copyright law (Berne Convention) does not require or demand its registration, only its originality and that it hasn't lapsed into or been given to the public domain.

I hereby release the term Mickey$oft to the public domain!
There we go!